Nope - never mind. Plenty of successful traffic with the sec-ch-ua* headers.
I'll keep poking re: PH/500 w/o "show errors", and confess here when/how I find it is the result of being ignernt.

On Mon, Oct 18, 2021 at 11:41 AM Jim Freeman <[email protected]> wrote:

> Ran tcpdump on the proxy in search of useful detail.
> Saw these unfamiliar (to me) headers on the PH/500 'd request :
>
> sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"
> sec-ch-ua-mobile: ?0
>
> Googled, found : https://www.chromium.org/updates/ua-ch, was a tad
> FUD'd by
> ===
> Possible Site Compatibility Issue
> UA-CH is an additive feature, which adds two new request headers that are
> sent by default: `sec-ch-ua` and `sec-ch-ua-mobile`. Those request headers
> are based off of Structured Field Values, an emerging standard related to
> HTTP header values. They contain characters that, though permitted in the
> HTTP specification, weren’t previously common in request headers, such as
> double-quotes (“), equal signs (=), forward-slashes (/), and question marks
> (?). Some Web-Application-Firewall (WAF) software, as well as backend
> security measures, may mis-categorize those new characters as “suspicious”,
> and as such, block those requests.
> ===
>
> HAProxy tends to be up on all such things, but any chance the PH/500 could
> be related ?
>
> Thanks,
> ...jfree
> https://www.mail-archive.com/[email protected]/msg41272.html

Added headers :
content-security-policy: frame-ancestors 'self' https://*.primarydomain.org https://*.related.domain.org;
x-frame-options: SAMEORIGIN

